CCO-318: Enable Azure Workload Identity authentication.

[jstuever]

Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.

https://issues.redhat.com/browse/CCO-318

[openshift-ci-robot]

@jstuever: This pull request references CCO-318 which is a valid jira issue.

In response to this:

Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.

WIP TODO:

• Update azure identity sdk to v1.3.0 (as opposed to beta)
• Update openshift api to include config/v1: Add AzureWorkloadIdentity to TechPreviewNoUpgrade api#1436
• Rebase onto CCO-318: Read feature gates for future usage #908

https://issues.redhat.com/browse/CCO-318

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@jstuever: This pull request references CCO-318 which is a valid jira issue.

In response to this:

Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.

WIP TODO:

• Update azure identity sdk to v1.3.0 (as opposed to beta)
• Update openshift api to include config/v1: Add AzureWorkloadIdentity to TechPreviewNoUpgrade api#1436
• Rebase onto CCO-318: Read feature gates for future usage #908

https://issues.redhat.com/browse/CCO-318

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@jstuever: This pull request references CCO-318 which is a valid jira issue.

In response to this:

Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.

WIP TODO:

• Update azure identity sdk to v1.3.0 (as opposed to beta)
• Rebase onto CCO-318: Read feature gates for future usage #908

https://issues.redhat.com/browse/CCO-318

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@jstuever: This pull request references CCO-318 which is a valid jira issue.

In response to this:

Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.

https://issues.redhat.com/browse/CCO-318

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

I've made some minor suggestions, but this looks fine to me overall.
/approve

[Miciah]

Is there a reason to declare err in the outer scope?

Suggested change

	var (
	cred azcore.TokenCredential
	err error
	)
	if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" {
	options := azidentity.WorkloadIdentityCredentialOptions{
	ClientOptions: azcore.ClientOptions{
	Cloud: cloudConfig,
	},
	ClientID: config.ClientID,
	TenantID: config.TenantID,
	TokenFilePath: config.FederatedTokenFile,
	}
	cred, err = azidentity.NewWorkloadIdentityCredential(&options)
	if err != nil {
	return nil, err
	}
	} else {
	options := azidentity.ClientSecretCredentialOptions{
	ClientOptions: azcore.ClientOptions{
	Cloud: cloudConfig,
	},
	}
	cred, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options)
	var cred azcore.TokenCredential
	if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" {
	options := azidentity.WorkloadIdentityCredentialOptions{
	ClientOptions: azcore.ClientOptions{
	Cloud: cloudConfig,
	},
	ClientID: config.ClientID,
	TenantID: config.TenantID,
	TokenFilePath: config.FederatedTokenFile,
	}
	var err error
	cred, err = azidentity.NewWorkloadIdentityCredential(&options)
	if err != nil {
	return nil, err
	}
	} else {
	options := azidentity.ClientSecretCredentialOptions{
	ClientOptions: azcore.ClientOptions{
	Cloud: cloudConfig,
	},
	}
	var err error
	cred, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options)

[jstuever]

No reason, was just blindly following the enhancement.
Updated.

[Miciah]

Did you mean to delete config.AzureWorkloadIdentityEnabled && in https://github.com/openshift/cluster-ingress-operator/compare/02a3c1434367c4ce82e84f3a42b393de92765541..d8c1cafad42eff9f781248a166e6e591a203ff24?

[jstuever]

No, I did not. I must have fumbled it during a rebase. Fixed. Thanks!

[Miciah]

Would you mind adding godoc for these fields? In particular, it's getting confusing which fields are used in what situations. Looks like SubscriptionID, ClientID, and TenantID are always required; FederatedTokenFile is required when using workload identity; and ClientSecret is required when not using workload identity. Is that correct? Following is my attempt at describing these fields—please check for errors and discard or modify as necessary:

Suggested change

	Environment azure.Environment
	SubscriptionID string
	ClientID string
	ClientSecret string
	FederatedTokenFile string
	TenantID string
	AzureWorkloadIdentityEnabled bool
	// Environment describes the Azure environment: ChinaCloud,
	// USGovernmentCloud, PublicCloud, or AzureStackCloud. If empty,
	// AzureStackCloud is assumed.
	Environment azure.Environment
	// SubscriptionID is the subscription id for the Azure identity.
	SubscriptionID string
	// ClientID is an Azure application client id.
	ClientID string
	// ClientSecret is an Azure application client secret. It is required
	// if Azure workload identity is not used.
	ClientSecret string
	// FederatedTokenFile is the path to a file containing a workload
	// identity token. If FederatedTokenFile is specified and
	// AzureWorkloadIdentityEnabled is true, then Azure workload identity is
	// used instead of using a client secret.
	FederatedTokenFile string
	// TenantID is the Azure tenant ID.
	TenantID string
	// AzureWorkloadIdentityEnabled indicates whether the
	// "AzureWorkloadIdentity" feature gate is enabled.
	AzureWorkloadIdentityEnabled bool

[jstuever]

Done, and thanks!

[Miciah]

The comment can be removed (I missed that 3d26626 removed the _ = sets.New[configv1.FeatureGateName](enabled...).Has("AzureWorkloadIdentity") line that the comment described). Uppercase AzureWorkloadIdentityEnabled looks funny for a function-local variable.

Suggested change

	// example of future featuregate read and usage to set a variable to pass to a controller
	AzureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity)
	azureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity)

[jstuever]

Done.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[candita]

/retest-required

[jstuever]

/retest

[jstuever]

/retest

[ahardin-rh]

/label docs-approved

[lihongan]

/label qe-approved

[davemulford]

Adding px-approved per a conversation with cfields.

/label px-approved

[jstuever]

Rebased to resolve merge conflicts in go.mod and related module files.

[Miciah]

/lgtm

[jstuever]

/retest

[Miciah]

/hold
#939 is top priority; make sure it merges first.

[Miciah]

/hold cancel
and
/test all
now that #939 has merged.

[Miciah]

e2e-gcp-operator failed because TestInternalLoadBalancerGlobalAccessGCP and TestInternalLoadBalancer failed. This is a known issue (OCPBUGS-13106), unrelated to the changes in this PR.
/override ci/prow/e2e-gcp-operator

[openshift-ci]

@Miciah: Overrode contexts on behalf of Miciah: ci/prow/e2e-gcp-operator

In response to this:

e2e-gcp-operator failed because TestInternalLoadBalancerGlobalAccessGCP and TestInternalLoadBalancer failed. This is a known issue (OCPBUGS-13106), unrelated to the changes in this PR.
/override ci/prow/e2e-gcp-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[dgoodwin]

/label jira/valid-bug